GHSA-hvp3-26wx-g2w4: Strapi: Password Reset Does Not Revoke Existing Refresh Sessions
Summary
In Strapi versions before 5.33.3, resetting a user's password did not automatically revoke the user's existing refresh tokens (credentials that let a client obtain new access tokens without logging in again), so an attacker holding a stolen refresh token could keep accessing the account even after the legitimate user changed their password. The vulnerability affected the admin and users-permissions components and was given a CVSS score (a 0-10 rating of a vulnerability's severity) of 2.1, i.e. low severity.
Solution / Mitigation
Immediately update Strapi to version 5.33.3 or later. The patch invalidates all refresh tokens associated with a user whenever their password is changed or reset, regardless of device identification.
Vulnerability Details
EPSS: 0.0%
Original source: https://github.com/advisories/GHSA-hvp3-26wx-g2w4
First tracked: May 13, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 95%